• Longtime Qualys user
• Brought Qualys into TravelClick in August

TravelClick, an Amadeus company
QUALYS SECURITY CONFERENCE 2018


TravelClick Overview 


• Provides Central Reservation Systems and Guest Management Solutions
• 25,000 independent and mid-sized hotels in 176 countries
• 1,200 employees
• 3,000 servers @ 2 datacenters (on-premise)
• Acquired by Amadeus in October 2018 for $1.52B
Where we came from

• Grown by acquisition — before we ourselves were acquired
• 4 acquisitions over 12 years
— One acquisition added 40% in headcount overnight
• Everything that can be different, was different
• Managing risk by conjecture and passed-on knowledge instead of documentation and fact
• No single source of truth
Starting Point: Global IT Asset Inventory

• Biggest problem faced by every organization
• What is where?
• Who owns it? (“Ghost Networks”)
— POCs stood up then ended... but still running
— Temp projects are never temporary
— Test environments still remaining and never decommissioned
• Who's taking care of it?
• What's wrong with it?
Here There Be Dragons


Started with Qualys for discovery and inventory 
Installed Cloud Agent everywhere 
Asset Grouping

• Asset Tags and Smart Tags were essential for making sense of the data
• Getting the right information to the right people
• Management teams flow into Business Units
— which leads to environments, down to individual systems, and the teams who maintain them
Reporting

Senior Management | Team Management | Operational Staff
Senior Management Reporting

• Overall Risk instead of Vulnerability Reporting
• Trending — improving, stalled progress, trouble areas
• Which BUs carry the most risk? Do they need more attention?


Lessons Learned 
Original assumptions changed after measuring with Qualys 
Team Management Reporting

• Present Risks for their Area
— Internal vs. Perimeter system
— What is it running? What data does it have?
— What systems and network does it connect to?
• Vulnerability Remediations vs. Trade-offs
• What is New? What is Fixed? What comes Back?
— WLS-WSAT after October Patch 


The Walking Dead 
Operational Staff Reporting

• Prioritization based on Difficulty and Technical Details
— Commercial software much easier to correct than open source
• Recommend Fixes: Patch, Configuration, Remove
• Where is the biggest bang for the buck?
— Can one patch eliminate multiple issues?
— How can Security show this to IT?
Lessons Learned

• Easy to get consumed by daily firefighting: “Work vs. Progress”
• Management needs data and evidence to act. But don't confuse the issues with too much detail
• Follow-up (without nagging). Understand that operational teams have competing
Q&A
Open Discussion 


Michael Smith 
TravelClick 